i think yes, now we will show frr logs for unhandled exceptions and normal short messages for others e.g. route-reflector-client only supported for iBGP peers
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Apr 10 2024
Apr 10 2024
HollyGurza added a comment to T6106: Improve the commit error message for the case when route-reflector-client option is defined in a peer-group.
Giggum added a comment to T5694: NTP should always be allowed from localhost and bindaddress/binddevice can only exist once.
I gave it a go due to similarities between this and https://vyos.dev/T6123.
Apr 9 2024
Apr 9 2024
Started on a PR: https://github.com/vyos/vyos-1x/pull/3288
Viacheslav triaged T6218: Container network interface in VRF fails to generate IPv6 link-local address as Normal priority.
My specific use case is a container that requires --sysctl=net.ipv4.conf.all.forwarding=1
jvoss updated the task description for T6218: Container network interface in VRF fails to generate IPv6 link-local address.
Mark it as resolved, reopen the task if required.
Viacheslav added a comment to T6106: Improve the commit error message for the case when route-reflector-client option is defined in a peer-group.
Was it fixed?
Viacheslav changed the status of T6106: Improve the commit error message for the case when route-reflector-client option is defined in a peer-group from In progress to Needs testing.
@MattK Could you re-check and close it?
Viacheslav changed the status of T6132: Conntrack-sync Internal Cache Growing Uncontrollably from Open to Needs reporter action.
Viacheslav changed the status of T6212: Firewall offload counters show always zero from Open to Needs testing.
@tjh Any updates?
By the way there is a new option
vyos@r4# set service conntrack-sync disable-syslog [edit] vyos@r4#
https://conntrack-tools.netfilter.org/manual.html#sync-aa
conntrackd allows you to deploy an symmetric Active-Active setup based on a static approach. For example, assume that you have two virtual IPs, vIP1 and vIP2, and two firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the firewall FW1 and the vIP2 to the FW2.
Viacheslav added a project to T6217: Set the log id of the VRRP contrack-sync script to vyos-vrrp-conntracksync: Restricted Project.
@trae32566 Can you provide the next output?
sudo conntrackd -C /run/conntrackd/conntrackd.conf -s && echo "conntrack_count: " && sudo conntrack -C sudo conntrackd -C /run/conntrackd/conntrackd.conf -s network sudo conntrackd -C /run/conntrackd/conntrackd.conf -s cache sudo conntrackd -C /run/conntrackd/conntrackd.conf -s runtime sudo conntrackd -C /run/conntrackd/conntrackd.conf -s link sudo conntrackd -C /run/conntrackd/conntrackd.conf -s queue
Viacheslav triaged T6217: Set the log id of the VRRP contrack-sync script to vyos-vrrp-conntracksync as Low priority.
n.fort changed the status of T6216: Firewall group names that contain the '+' character break the config from Open to Confirmed.
n.fort added a comment to T6213: Validations in firewall groups mistakenly reject correct configurations.
Viacheslav moved T6121: Extend service config-sync for sections vpn, policy, vrf from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
Viacheslav edited projects for T6121: Extend service config-sync for sections vpn, policy, vrf, added: VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta (1.4.0-epa2).
Viacheslav moved T6121: Extend service config-sync for sections vpn, policy, vrf from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav changed the status of T5858: Improve the formatting of conntrack statistics output from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/3280
vyos@r15-left:~$ show conntrack statistics CPU Found Invalid Insert Insert fail Drop Early drop Errors Search restart ----- ------- --------- -------- ------------- ------ ------------ -------- ---------------- -- -- 0 0 280 0 1 1 0 1 0 2 0 1 0 73 0 0 0 0 126 0 1 0 vyos@r15-left:~$
n.fort renamed T6214: Error when using some constraints from Error when using some contraints to Error when using some constraints.
Giggum updated the task description for T6123: Limit NTP allow-client config to internal addresses by default.
Giggum updated the task description for T6123: Limit NTP allow-client config to internal addresses by default.
Apr 8 2024
Apr 8 2024
Giggum added a comment to T6099: Suppress unsupported interfaces from appearing in messages log by Telegraf .
In T6099#182627, @Viacheslav wrote:@Giggum Can you check it in 1.5?
Yeah sure thing I can do that. Will I be able to roll back from the latest 1.5 to the version of 1.4 rolling I’m on after testing is complete or will the config mess up?
c-po edited projects for T6173: Build Causes Errors When "--version" Contains Slashes ("/"), added: VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta (1.4.0-epa2).
n.fort moved T6068: Support active-active and active-passive high availability modes in DHCP server from Open to Finished on the VyOS 1.5 Circinus board.
n.fort moved T6068: Support active-active and active-passive high availability modes in DHCP server from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav changed the status of T3437: BGP Confederation Addition Causes Error from Needs testing to Confirmed.
n.fort changed the status of T6213: Validations in firewall groups mistakenly reject correct configurations from Open to In progress.
Rechecked - The issue exists.
a.apostoliuk changed the status of T6196: route-map and summary-only do not work in BGP aggregation at the same time from Unknown Status to Resolved.
After deleting and adding the firewall, it looks good
So, for some reason, the rule 10 and default action accept were applied 2 times to the firewall
chain VYOS_FORWARD_filter {
type filter hook forward priority filter; policy accept;
counter packets 928376 bytes 1800341472 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
counter packets 928376 bytes 1800341472 accept comment "FWD-filter default-action accept"
counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-10"
ct state { established, related } counter packets 0 bytes 0 flow add @VYOS_FLOWTABLE_FLOWTABLE comment "ipv4-FWD-filter-20"
counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
}a.apostoliuk moved T6197: Validation error in the IPoE server interface client-subnet option from Open to Finished on the VyOS 1.5 Circinus board.
a.apostoliuk changed the status of T6197: Validation error in the IPoE server interface client-subnet option from In progress to Needs testing.
probably related task T5660
Apr 7 2024
Apr 7 2024
Viacheslav added a project to T5169: Add CGNAT Carrier-Grade NAT based on nftables: VyOS 1.5 Circinus.
sarthurdev changed the status of T6163: kea-dhcp4-server crashes due to incorrect lease file permissions after 1.5-rolling-202403120022 -> 1.5-rolling-202403230018 upgrade from Confirmed to Needs testing.
c-po moved T5862: Default MTU is not acceptable in some environments from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
c-po closed T6205: ipoe: error in migration script logic while renaming mac-address to mac, a subtask of T5938: Migration fail root task for 1.4-rc, as Resolved.
c-po closed T6205: ipoe: error in migration script logic while renaming mac-address to mac as Resolved.
c-po moved T6205: ipoe: error in migration script logic while renaming mac-address to mac from Open to Finished on the VyOS 1.5 Circinus board.
c-po moved T6205: ipoe: error in migration script logic while renaming mac-address to mac from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0) board.
c-po moved T6208: container: rename "cap-add" CLI node to "capability" from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
sarthurdev changed the status of T6163: kea-dhcp4-server crashes due to incorrect lease file permissions after 1.5-rolling-202403120022 -> 1.5-rolling-202403230018 upgrade from Open to Confirmed.
Viacheslav changed the status of T1641: VRRP conntrack-sync dropping packets passing through the router from Open to Needs reporter action.
@Daya @trae32566 Any updates?
Apr 7 2024, 5:11 PM · Restricted Project, VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus
Viacheslav added a comment to T5966: Adjust dynamic dns configuration address subpath to be more intuitive and other op-mode adjustments.
@indrajitr Can we close it?
@indrajitr Can we close it?
Viacheslav changed the status of T4588: BGP Peer Group Scaling issues from Open to Needs reporter action.
Viacheslav closed T6039: cloud-init DNS search-domain causes configuration migration/validation error, a subtask of T5907: cloud-init root task for 1.5 and 1.4 , as Resolved.
Viacheslav added a subtask for T5907: cloud-init root task for 1.5 and 1.4 : T6112: Cloud Init Ordering Incorrect.
Viacheslav added a parent task for T6112: Cloud Init Ordering Incorrect: T5907: cloud-init root task for 1.5 and 1.4 .
Viacheslav added a comment to T6099: Suppress unsupported interfaces from appearing in messages log by Telegraf .
@Giggum Can you check it on 1.5?
It is easy to add
In FRR it looks like:
r4(config-rpki)# rpki cache 192.0.2.1 8888 SSH_UNAME SSH user name preference Preference of the cache server source Configure source IP address of RPKI connection
Viacheslav triaged T6209: Improve Configuration Load/Commit Speed by moving away from deep-tree flat-file backend as Normal priority.
PoC PR https://github.com/vyos/vyos-1x/pull/3274
set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '1000' set nat cgnat pool external ext1 range 192.0.2.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'int1' set nat cgnat rule 10 translation pool 'ext1'
For me personally this change makes sense: a router has multiple interfaces, the Source IP is selected in different ways, and especially for RPKI servers outside the network (public ones), this could even break connectivity. Vendors like Juniper had this issue and eventually added the option, which means probably VyOS will benefit too, especially since "it's just setting a value in FRR's config"™ (famous last words ;).
Yes and no. Even before I created this ticket, I tried a small test locally. Unfortunately, I was not able to get the tests to run (even without my changes).
@Loremo I think this contribution would be valuable. Have you made any progress with your PR?
Great 😃
Hi -- this works. The VTI interface is just another interface so you can add it to a firewall zone just as you would an Ethernet interface. This can be done with existing site-to-site ipsec VTIs today. I also do it with OpenVPN interfaces for remote access on some of my installations.
This would be really useful. As per: https://forum.vyos.io/t/other-than-console-how-to-pass-grub-parameter-pcie-aspm-off/14203